In this article, you will learn what the OWASP Core Rule Set (CRS) is and how you can use it to protect your website.
What is the OWASP Core Rule Set?
The OWASP Core Rule Set (CRS) is a tool that you can use to protect your website against generic attacks. Attacks are considered generic if they target widespread security vulnerabilities rather than a specific application or technology. The CRS is a set of rules that can be used to detect such attacks. All requests to a website are analyzed according to these rules. If a request meets the criteria of one or more rules, access to the website is blocked. If not, then access is allowed.
The CRS thus helps to detect potential threats and increase the security of your website. It protects against a wide range of attacks, such as SQL injection and cross-site scripting. For more information on the most common attacks that the CRS protects against, please visit the OWASP Core Rule Set website.
The CRS is developed and maintained by the Open Worldwide Application Security Project (OWASP), a non-profit organization that aims to improve the security of applications, services and software.
Usage at Hostpoint
OWASP CRS is disabled by default at Hostpoint. You can enable it yourself in the Hostpoint Control Panel. You can find out how to do this in the “Enabling OWASP CRS” section.
As the CRS rules are very strict, legitimate access requests may also sometimes be blocked. These are referred to as false positives. To avoid this, you can weaken or even deactivate the rules individually using exclusion plugins and exclude rules.
Exclusion plugins
There are plugins for some of the most common content management systems (CMS) (e.g. WordPress) that can be used to weaken the CRS rules. These plugins are also referred to as exclusion plugins. If there is such a plugin for the CMS you are using, we recommend enabling it.
Exclude rules
If the CRS is too strict for you despite the enabled plugin or if there is no plugin for your CMS, you can disable individual rules. This allows you to adapt the CRS even more precisely to your needs.
To add such an exception rule (also known as an “exclude rule”), you need the ID of that rule. You can find this in your website’s error log, which you can download via the Hostpoint Control Panel, for example. Blocked requests to your website are logged and assigned the ID of the corresponding rule in the error log. The easiest way to find the affected request is to search for the time or IP address in the file.
The following example shows a request that was blocked by the OWASP CRS. If the access is considered legitimate and you do not want such a request to be blocked, you can add the rule ID (the value in the [id "…"] field, 930130 in this example) to the “Exclude Rule IDs” field.
[Tue Jan 07 02:43:43.657734 2025] [-:error] [pid 78379:tid 38756085760] ModSecurity: Warning. Matched phrase ".env" at REQUEST_FILENAME. [file "/usr/local/etc/apache24/Includes/mod_security/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "143"] [id "930130"] [msg "Restricted File Access Attempt"] [data "Matched Data: .env found within REQUEST_FILENAME: /.env"] [severity "CRITICAL"] [ver "OWASP_CRS/4.6.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [tag "PCI/6.5.4"] [hostname "your-own-domain.ch"] [uri "/.env"] [unique_id "Z3yGz6UWH6z-1DWgHdR_DwAAAPA"
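Searching a large error log by hand for the time or IP address is tedious, so here is a small Python helper, added as an example and not part of the Hostpoint article, that parses ModSecurity lines of the shape shown above, skips unrelated Apache errors, and lets you filter the blocked requests by client IP, time or URI and count how often each rule ID fires. The sample log embedded in it is constructed: the IPs, the second rule ID and its file/line values, and the timestamps are made-up illustrations, and it assumes the "[client ip:port]" field that Apache error logs normally carry is present (the excerpt above omits it).

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample error log modelled on the blocked-request entry shown in the
# article. IPs, timestamps and the 941100 entry's details are made-up sample
# values; the "[client ip:port]" field is assumed to be present.
SAMPLE_LOG = """\
[Tue Jan 07 02:43:43.657734 2025] [-:error] [pid 78379:tid 38756085760] [client 203.0.113.5:51234] ModSecurity: Warning. Matched phrase ".env" at REQUEST_FILENAME. [file "/usr/local/etc/apache24/Includes/mod_security/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "143"] [id "930130"] [msg "Restricted File Access Attempt"] [data "Matched Data: .env found within REQUEST_FILENAME: /.env"] [severity "CRITICAL"] [ver "OWASP_CRS/4.6.0"] [tag "attack-lfi"] [tag "paranoia-level/1"] [hostname "your-own-domain.ch"] [uri "/.env"] [unique_id "Z3yGz6UWH6z-1DWgHdR_DwAAAPA"]
[Tue Jan 07 02:51:10.120000 2025] [core:error] [pid 78379:tid 38756085760] [client 203.0.113.5:51240] File does not exist: /home/www/robots.txt
[Tue Jan 07 03:12:05.000100 2025] [-:error] [pid 78379:tid 38756085760] [client 203.0.113.5:51301] ModSecurity: Warning. Matched phrase ".env" at REQUEST_FILENAME. [file "/usr/local/etc/apache24/Includes/mod_security/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "143"] [id "930130"] [msg "Restricted File Access Attempt"] [severity "CRITICAL"] [tag "attack-lfi"] [hostname "your-own-domain.ch"] [uri "/backup/.env"] [unique_id "sample-unique-id-2"]
[Tue Jan 07 09:30:44.500000 2025] [-:error] [pid 78379:tid 38756085760] [client 198.51.100.7:40022] ModSecurity: Warning. detected XSS using libinjection. [file "/sample/path/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "1"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [tag "attack-xss"] [hostname "your-own-domain.ch"] [uri "/wp-admin/post.php"] [unique_id "sample-unique-id-3"]
"""

# Leading Apache timestamp, e.g. [Tue Jan 07 02:43:43.657734 2025]
TS_RE = re.compile(r'^\[([A-Z][a-z]{2} [A-Z][a-z]{2} \d\d \d\d:\d\d:\d\d\.\d+ \d{4})\]')
# [client 203.0.113.5:51234]; lazy match keeps IPv6 addresses intact, port is dropped
CLIENT_RE = re.compile(r'\[client (.+?)(?::\d+)?\]')
# Every quoted ModSecurity field: [id "930130"], [msg "..."], [tag "..."], ...
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')


def parse_modsec_line(line):
    """Return a dict for one ModSecurity error-log line, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    ts = TS_RE.match(line)
    client = CLIENT_RE.search(line)
    entry = {
        "time": datetime.strptime(ts.group(1), "%a %b %d %H:%M:%S.%f %Y") if ts else None,
        "client": client.group(1) if client else None,
        "tags": [],  # [tag "..."] repeats, so collect it as a list
    }
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            entry["tags"].append(value)
        else:
            entry[key] = value
    return entry


def parse_log(text):
    """Parse a whole error log, keeping only the ModSecurity entries."""
    entries = (parse_modsec_line(line) for line in text.splitlines())
    return [e for e in entries if e is not None]


def find_blocked(entries, ip=None, since=None, uri_contains=None):
    """Filter entries by client IP, by earliest timestamp, or by a URI substring."""
    hits = []
    for e in entries:
        if ip and e["client"] != ip:
            continue
        if since and (e["time"] is None or e["time"] < since):
            continue
        if uri_contains and uri_contains not in e.get("uri", ""):
            continue
        hits.append(e)
    return hits


def rule_id_counts(entries):
    """How often each rule ID fired; frequent hits on legitimate URIs are exclusion candidates."""
    return Counter(e.get("id", "unknown") for e in entries)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for rule_id, n in rule_id_counts(entries).most_common():
        sample = next(e for e in entries if e.get("id") == rule_id)
        print(f'rule {rule_id} fired {n}x: {sample.get("msg")} (e.g. {sample.get("uri")})')
    for e in find_blocked(entries, ip="198.51.100.7"):
        print(f'{e["time"]} {e["client"]} id={e["id"]} uri={e["uri"]}')
```

Run it against your downloaded error log by replacing SAMPLE_LOG with the file's contents; the per-rule summary shows which IDs fire most and on which URIs, which is the information you need before deciding whether an ID belongs in the Exclude Rule IDs field or whether the blocked requests were in fact unwanted.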
Enabling OWASP CRS
To enable the OWASP CRS, please proceed as follows:
- Log into the Hostpoint Control Panel with your Hostpoint ID.
- Open your web hosting.
- Choose “Websites” in the menu on the left.
- Click “Edit” for the desired website.
→ You will see an overview of the settings for the website.
- Scroll down to the “Web application firewall (WAF)” section and click “Edit” for “OWASP Core Rule Set (CRS)”.
- Enable the OWASP CRS.
- If you wish, you can also enable an exclusion plugin or configure Exclude Rule IDs here.
→ The OWASP CRS has been enabled.
Additional information
Detailed information on OWASP and the Core Rule Set can also be found at:
- OWASP: https://owasp.org/
- Core Rule Set: https://coreruleset.org/ and https://owasp.org/www-project-modsecurity-core-rule-set/